commit bc19229812eb7c5e3da3e47ed67940b5c6d0f745
author Jooyung Han <jooyung@google.com> Wed Nov 29 14:27:07 2023 +0900
committer Jooyung Han <jooyung@google.com> Wed Nov 29 14:27:07 2023 +0900
tree 89e821450e93a5bf8a8d1ee563fa16340c93c6fd
parent 15d61f73d2175a99373d1e2fbfa7be6ed3e7c3c5

Create secretkeeper HAL APEX

Bug: 276190333
Test: VtsSecretkeeperTargetTest
Change-Id: Ia932b8eaaccf806d7fbfd764db2922a5ff1a9a1b

security/secretkeeper/default/Android.bp

diff --git a/security/secretkeeper/default/Android.bp b/security/secretkeeper/default/Android.bp
index 1c39fa6..8240b89 100644
--- a/security/secretkeeper/default/Android.bp
+++ b/security/secretkeeper/default/Android.bp
@@ -22,8 +22,8 @@
     name: "android.hardware.security.secretkeeper-service.nonsecure",
     relative_install_path: "hw",
     vendor: true,
-    init_rc: ["secretkeeper.rc"],
-    vintf_fragments: ["secretkeeper.xml"],
+    installable: false, // install APEX
+    prefer_rlib: true,
     rustlibs: [
         "android.hardware.security.secretkeeper-V1-rust",
         "libandroid_logger",
@@ -35,3 +35,34 @@
         "src/main.rs",
     ],
 }
+
+prebuilt_etc {
+    name: "secretkeeper.rc",
+    src: "secretkeeper.rc",
+    installable: false,
+}
+
+prebuilt_etc {
+    name: "secretkeeper.xml",
+    src: "secretkeeper.xml",
+    sub_dir: "vintf",
+    installable: false,
+}
+
+apex {
+    name: "com.android.hardware.security.secretkeeper",
+    manifest: "apex_manifest.json",
+    file_contexts: "apex_file_contexts",
+    key: "com.android.hardware.key",
+    certificate: ":com.android.hardware.certificate",
+    vendor: true,
+    updatable: false,
+
+    binaries: [
+        "android.hardware.security.secretkeeper-service.nonsecure",
+    ],
+    prebuilts: [
+        "secretkeeper.rc",
+        "secretkeeper.xml",
+    ],
+}

security/secretkeeper/default/apex_file_contexts

diff --git a/security/secretkeeper/default/apex_file_contexts b/security/secretkeeper/default/apex_file_contexts
new file mode 100644
index 0000000..71369a8
--- /dev/null
+++ b/security/secretkeeper/default/apex_file_contexts
@@ -0,0 +1,3 @@
+(/.*)?                                          u:object_r:vendor_file:s0
+/etc(/.*)?                                      u:object_r:vendor_configs_file:s0
+/bin/hw/android\.hardware\.security\.secretkeeper-service\.nonsecure  u:object_r:hal_secretkeeper_default_exec:s0

security/secretkeeper/default/apex_manifest.json

diff --git a/security/secretkeeper/default/apex_manifest.json b/security/secretkeeper/default/apex_manifest.json
new file mode 100644
index 0000000..7287095
--- /dev/null
+++ b/security/secretkeeper/default/apex_manifest.json
@@ -0,0 +1,4 @@
+{
+    "name": "com.android.hardware.security.secretkeeper",
+    "version": 1
+}
\ No newline at end of file

security/secretkeeper/default/secretkeeper.rc

diff --git a/security/secretkeeper/default/secretkeeper.rc b/security/secretkeeper/default/secretkeeper.rc
index f39f9b7..38ee50d 100644
--- a/security/secretkeeper/default/secretkeeper.rc
+++ b/security/secretkeeper/default/secretkeeper.rc
@@ -1,4 +1,4 @@
-service vendor.secretkeeper /vendor/bin/hw/android.hardware.security.secretkeeper-service.nonsecure
+service vendor.secretkeeper /apex/com.android.hardware.security.secretkeeper/bin/hw/android.hardware.security.secretkeeper-service.nonsecure
     interface aidl android.hardware.security.secretkeeper.ISecretkeeper/nonsecure
     class hal
     user nobody